Summary | ZeroBOX

File_pass1234.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6402 July 19, 2023, 2:42 p.m. July 19, 2023, 2:44 p.m.
Size 5.3MB
Type 7-zip archive data, version 0.4
MD5 46ad54c4ee3c4d92f87f62c0d7ca7c38
SHA256 8cf5d9cfe95a53fd7029349306b6d6eb98e39973df594ccab6440cade9e4c2bc
CRC32 63B4F273
ssdeep 98304:U4mL0QH58l7kj5Le5v5bOdL+QpifZQMwYvzqMmZtwWsfJPVRr+B8A:U4c0llYj5WbapiW3HfngrK1
Yara None matched

IP Address Status Action
103.100.211.218 Active Moloch
104.17.214.67 Active Moloch
104.26.4.15 Active Moloch
104.26.5.15 Active Moloch
142.251.220.36 Active Moloch
147.135.165.22 Active Moloch
148.251.234.83 Active Moloch
148.251.234.93 Active Moloch
154.221.26.108 Active Moloch
156.236.72.121 Active Moloch
157.254.164.98 Active Moloch
163.123.143.4 Active Moloch
164.124.101.2 Active Moloch
172.67.75.163 Active Moloch
176.113.115.135 Active Moloch
176.113.115.136 Active Moloch
176.113.115.84 Active Moloch
176.113.115.85 Active Moloch
176.123.9.142 Active Moloch
176.123.9.85 Active Moloch
194.169.175.128 Active Moloch
194.169.175.138 Active Moloch
194.195.113.17 Active Moloch
194.26.135.162 Active Moloch
213.91.128.133 Active Moloch
34.117.59.81 Active Moloch
45.12.253.74 Active Moloch
45.143.201.238 Active Moloch
45.15.156.229 Active Moloch
46.173.215.12 Active Moloch
62.122.184.92 Active Moloch
77.91.124.40 Active Moloch
77.91.68.3 Active Moloch
77.91.68.56 Active Moloch
80.66.75.254 Active Moloch
80.66.75.4 Active Moloch
87.120.88.198 Active Moloch
87.240.132.67 Active Moloch
91.215.85.147 Active Moloch
94.142.138.131 Active Moloch
95.142.206.1 Active Moloch
95.142.206.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49178 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49178 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
UDP 192.168.56.102:65226 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49185 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49174 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.84:80 -> 192.168.56.102:49189 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49185 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49174 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 194.195.113.17:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 194.195.113.17:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49196 -> 194.195.113.17:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 194.195.113.17:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 194.195.113.17:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49204 -> 194.195.113.17:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 194.195.113.17:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 194.195.113.17:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.195.113.17:443 -> 192.168.56.102:49204 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49204 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 176.113.115.84:8080 -> 192.168.56.102:49203 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49203 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49203 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49193 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49202 -> 194.195.113.17:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 194.195.113.17:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 194.195.113.17:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.195.113.17:443 -> 192.168.56.102:49202 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49202 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 91.215.85.147:80 -> 192.168.56.102:49197 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49210 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49210 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49215 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49207 -> 194.169.175.138:3002 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49212 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49214 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49214 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.169.175.138:3002 -> 192.168.56.102:49207 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.138:3002 -> 192.168.56.102:49207 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 194.169.175.138:3002 -> 192.168.56.102:49207 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49217 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49220 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49219 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49226 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49188 -> 77.91.124.40:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 77.91.124.40:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49228 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 77.91.124.40:80 -> 192.168.56.102:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.124.40:80 -> 192.168.56.102:49188 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49198 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 87.120.88.198:80 -> 192.168.56.102:49190 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 87.120.88.198:80 -> 192.168.56.102:49190 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49227 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:80 -> 192.168.56.102:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49231 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49218 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49222 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49246 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 148.251.234.93:443 -> 192.168.56.102:49259 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49264 -> 147.135.165.22:38685 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49268 -> 176.123.9.85:16482 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 176.123.9.142:14845 -> 192.168.56.102:49270 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 77.91.68.56:19071 -> 192.168.56.102:49272 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 77.91.68.3:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.102:49273 -> 77.91.68.3:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49256 -> 104.17.214.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:65488 -> 8.8.8.8:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 194.26.135.162:2920 -> 192.168.56.102:49261 2400026 ET DROP Spamhaus DROP Listed Traffic Inbound group 27 Misc Attack
TCP 192.168.56.102:49261 -> 194.26.135.162:2920 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 148.251.234.83:443 -> 192.168.56.102:49262 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49253 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49254 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49258 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 157.254.164.98:28449 -> 192.168.56.102:49265 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49250 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49250 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49250 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49248 -> 154.221.26.108:80 2045057 ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) A Network Trojan was detected
TCP 192.168.56.102:49251 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49260 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49260 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 176.113.115.135:431 -> 192.168.56.102:49281 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 176.113.115.136:431 -> 192.168.56.102:49282 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49276 -> 213.91.128.133:10060 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 62.122.184.92:431 -> 192.168.56.102:49277 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
TCP 176.113.115.85:431 -> 192.168.56.102:49283 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 194.195.113.17:443 -> 192.168.56.102:49208 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49208 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49276 -> 213.91.128.133:10060 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49174
172.67.75.163:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49215
95.142.206.2:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49182
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49209
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49227
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49233
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49239
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49222
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49225
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49234
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49235
95.142.206.2:443
None None None
TLSv1
192.168.56.102:49237
95.142.206.1:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49253
104.26.5.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49254
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49251
104.26.5.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.131/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://77.91.124.40/info/photo113.exe
suspicious_features Connection to IP address suspicious_request HEAD http://87.120.88.198/g.exe
suspicious_features Connection to IP address suspicious_request GET http://87.120.88.198/g.exe
suspicious_features Connection to IP address suspicious_request GET http://77.91.124.40/info/photo113.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features POST method with no referer header suspicious_request POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.91.68.3/home/love/index.php
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firegate.php
request HEAD http://77.91.124.40/info/photo113.exe
request HEAD http://87.120.88.198/g.exe
request GET http://87.120.88.198/g.exe
request GET http://77.91.124.40/info/photo113.exe
request HEAD http://hugersi.com/dl/6523.exe
request HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://176.113.115.84:8080/4.php
request GET http://hugersi.com/dl/6523.exe
request GET http://us.imgjeoigaa.com/sts/imagc.jpg
request GET http://45.15.156.229/api/tracemap.php
request GET http://aa.imgjeoogbb.com/check/safe
request POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
request GET http://www.maxmind.com/geoip/v2.1/city/me
request POST http://77.91.68.3/home/love/index.php
request GET http://www.google.com/
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://vk.com/doc808950829_664352898?hash=TpvyQqEeYsjdodWTHrXtKlZqBTWVZrPRit56oUnvQNg&dl=sD0PBsoT1zBUSEgqcJWb3g6HPzuBQ8Yjvhr8mqZxT94&api=1&no_preview=1
request GET https://sun6-22.userapi.com/c909218/u808950829/docs/d53/58e33ed5db21/h8d337t1s6ya.bmp?extra=CPXirvuFil6wae1g7IzRKLCuKaBG5TMNvah7vd8GEz_qhtFRRku91mgqgiq76or0u2ti2o0zTN89ctJv3eG53ZlBxfMxw-IYA776yUdrGBSY26Z4EfetiDoRLEeWerrhtc2_i9f6b90E94we8g
request GET https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
request GET https://vk.com/doc808950829_664207170?hash=kMt7FUJyRMXd3utd25izhIrZbfZfaKJzCnFJqUmY3Sw&dl=uZ3GDnIBuaFj1FCG7xA3gziJZ6Zba8NMATPW6Lqrzb0&api=1&no_preview=1
request GET https://sun6-22.userapi.com/c237331/u808950829/docs/d28/86e75507997e/PMmp.bmp?extra=gA4zaT6Xr3h2ftzx9AuPCMbqvjUtc-wRsrEKNOhevLqt_SZZwdVTPal8iTx6xd2U97xgKU53JupP_eejmSYNdmzSQRzU982T2aZornEsede4YUpcvteGCqHEQW4bsNatQleffyY9lAwLiXRnZg
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request GET https://vk.com/doc808950829_664295976?hash=wWP2uKSW6vc2Zwh4dERWVq2558nuK0zAmie4S5babxg&dl=fnVWutUVH5EHCOnwUxAqrClRC7zCIeOyomm4pfSrZFc&api=1&no_preview=1#rise_test
request GET https://vk.com/doc808950829_664443643?hash=BMSfO07vvSfVgzBLa3AhQ2T8ZfTsYk5klLKtxOZyNZT&dl=PkFfe0R1U4A4nZCFzzMLIHdvp6Lpl8cZoPyc3f4s1g0&api=1&no_preview=1#3
request GET https://sun6-22.userapi.com/c237031/u808950829/docs/d38/ea4433a2b522/RisePro_0_2_9rOsvaKa1eDf138eBlTl.bmp?extra=DnpHLlKvtxovB1KUV49UCSmwoMRpKlllUvvs5vFdMDd9kEn--_oArRN2soMPvOpEI-bb2dSpQpeWyz19HgECB7QD057wQXbgM_yxe6Qe4PwZmwkS5S0weMFY6E7oO0zeiqN5poXsMtje8Ga45g
request GET https://sun6-21.userapi.com/c236331/u808950829/docs/d20/0cef145379dd/3.bmp?extra=sissnLmA8_-6n9mrlaFvFGqsuE8xRQHYK27yqnUnxwCijQuiveAV-H1daYlYFGiEZwSXhdTHhRGRsJ1mxNlypFuQCV04gy5jZ4xe1_1nBm9bazUTI_xskEd39VLXPyTmLgdCohnnm6fC-d9b4Q
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request GET https://db-ip.com/demo/home.php?s=175.208.134.152
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST http://94.142.138.131/api/firegate.php
request POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
request POST http://77.91.68.3/home/love/index.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 147.135.165.22
ip 157.254.164.98
ip 176.113.115.84
ip 176.123.9.142
ip 176.123.9.85
ip 194.169.175.128
ip 194.169.175.138
ip 194.26.135.162
ip 213.91.128.133
ip 77.91.68.56
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74062000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737d3000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zE4A3BE98A\File.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 147.135.165.22
host 157.254.164.98
host 163.123.143.4
host 176.113.115.135
host 176.113.115.136
host 176.113.115.84
host 176.113.115.85
host 176.123.9.142
host 176.123.9.85
host 194.169.175.128
host 194.169.175.138
host 194.26.135.162
host 45.12.253.74
host 45.143.201.238
host 45.15.156.229
host 62.122.184.92
host 77.91.124.40
host 77.91.68.3
host 77.91.68.56
host 80.66.75.254
host 80.66.75.4
host 87.120.88.198
host 94.142.138.131
dead_host 194.169.175.138:80
dead_host 45.12.253.74:80
dead_host 176.113.115.84:80
dead_host 192.168.56.102:49186
dead_host 163.123.143.4:80
dead_host 192.168.56.102:49189